FCPA Blog Daily News

Tuesday, Jun 23, 2015

Joseph Spinelli: Risk assessment best practices

The DOJ and SEC expect diverse functional areas of organizations to participate in compliance risk assessments. Among them are compliance, legal, internal audit, procurement, and finance. Human resources, marketing, and public relations also usually have a role.

The key is ensuring that whoever conducts the risk assessment understands the regulatory requirements and current industry best practices.

The risk assessment should seek to measure both inherent and residual risk. Once the risks are measured, the organization can then determine the adequacy of its mitigating controls.

The FCPA Guidance from the DOJ and SEC said risks to be addressed when conducting risk assessments should include:

Internal Risks: Deficiencies in employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks, employee and third party training or skill sets, and ambiguity in the policy on gifts, entertainment and travel expenses.

For example, Kroll’s ABC report shows that a majority (52%) of compliance officers are not confident in their financial controls to catch potential books-and-records violations of the FCPA. The single biggest reason for worry is “poor reporting relationships or collaboration,” where finance department employees would know to bring concerns about possible improper payments to the compliance officer.

Country or External Risks: Countries with high levels of corruption, as highlighted by Transparency International in its Corruption Perceptions Index, that lack transparent procurement and investment policies and have a culture that doesn't discipline offenders.

Transaction Risks: Charitable or political contributions, and practices in obtaining licenses and permits.

Foreign Official Risks: Foreign business partners located in high-risk jurisdictions.

A risk assessment should be conducted under attorney-client privilege. That's the best way to protect against disclosure in the event of a criminal investigation or private litigation.

Within the privilege, risk assessment results are customarily reported to the legal and compliance departments. Legal and compliance may in turn report the results to management and the board or a committee of the board.

In the next post, I'll discuss how risk assessments should be conducted to cover both the FCPA and U.K. Bribery Act.

________

Joseph Spinelli is a Senior Managing Director at Kroll. He was the first Inspector General for New York State and has enjoyed a career spanning more than 30 years in private and public service across many fields, including in FCPA, anti-bribery and corruption, monitorships and white collar investigations. He can be contacted here.

Reader Comments (1)

According to my experience, the best practice to avoid bribery and corruption in several investment projects is to assess the risks from the bid stage or the first intention to do business with private or public customers.
June 23, 2015 | Unregistered Commenter Eduardo Garcia